Impact
The stored cross-site scripting flaw in the Jenkins buildgraph-view plugin enables attackers who can configure jobs or views to inject malicious JavaScript that is persisted in the build URL. When the affected page loads, the unsanitized URL is rendered, allowing the injected code to execute in the context of any user who views the page. This can lead to theft of session cookies, session hijacking, or arbitrary actions performed under the victim’s privileges, thereby compromising the confidentiality and integrity of the Jenkins instance.
Affected Systems
The vulnerability is present in the Jenkins Project’s buildgraph-view plugin version 1.8 and earlier. Any Jenkins deployment running one of these plugin versions, rather than a newer release, is susceptible. The issue is confined to the plugin itself and does not affect the core Jenkins code base.
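A defender-side inventory check for the affected range stated above, as an added example that is not code from the advisory or the Jenkins project: it parses a plugin list in the shape Jenkins returns from `/pluginManager/api/json?depth=1` (the sample inventory is constructed) and flags buildgraph-view at version 1.8 or earlier. Treating a version string with no numeric prefix as affected is an assumption made here.

```python
import json
import re

PLUGIN_ID = "buildgraph-view"   # plugin short name as Jenkins reports it
LAST_AFFECTED = (1, 8)          # advisory: "version 1.8 and earlier"

# Constructed sample, shaped like /pluginManager/api/json?depth=1 output.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1", "active": True},
    {"shortName": "buildgraph-view", "version": "1.8", "active": True},
]})


def numeric_prefix(version):
    """Return the leading dotted-number part as a tuple, or None if absent."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_affected(version):
    """True when the version is <= 1.8 (qualifiers like -SNAPSHOT are ignored)."""
    parts = numeric_prefix(version)
    if parts is None:
        return True  # assumption: unparseable versions go to manual review
    width = max(len(parts), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(parts) <= pad(LAST_AFFECTED)


def find_affected(inventory_json):
    """List installed buildgraph-view entries that fall in the affected range."""
    findings = []
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        version = str(plugin.get("version", ""))
        if is_affected(version):
            findings.append({"version": version,
                             "active": bool(plugin.get("active"))})
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_INVENTORY):
        state = "active" if f["active"] else "installed but inactive"
        print(f"{PLUGIN_ID} {f['version']} is in the affected range ({state})")
```

A version outside the flagged range only means it is newer than 1.8; the advisory text above does not name a fixed release.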
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation at this time. Exploitation requires permission to configure jobs or views, so it is most relevant to attackers who already have administrative or equivalent rights within the Jenkins environment, or who can gain such privileges through social engineering or lateral movement. The risk remains moderate, with potential for significant impact if the attacker can reach high-privilege users.